feat(build): add secret obfuscation during single file bundling

Add Confuser setup in CI pipeline and integrate obfuscation directly into MSBuild process for single-file bundles. This enhances security by automatically obfuscating KeyAsio.Secrets.dll before bundling when PublishSingleFile is true. The CI workflow is simplified by removing redundant obfuscation steps for single-file bundles.

Author: Milkitic

.github/workflows/publish.yml

@@ -43,27 +43,25 @@ jobs:
             Set-Content -Path "src/Apps/KeyAsio/keyasio_private.key" -Value $env:OFFICIAL_PRIVATE_KEY
         }      
    
+    - name: Setup Confuser
+      shell: pwsh
+      run: |
+        mkdir Confuser -Force
+        Invoke-WebRequest ${{ secrets.CONFUSER_DLURL }} -OutFile "Confuser/cli.zip"
+        7z x "Confuser/cli.zip" -oConfuser/
+
     - name: Publish
       run: |
         echo ${{ github.ref }}      
-        dotnet publish src/Apps/KeyAsio --framework net10.0 --runtime win-x64 --self-contained --configuration Release --output ci-publish-win64 -p:PublishReadyToRun=false
-        dotnet publish src/Apps/KeyAsio --framework net10.0 --runtime win-x64 --self-contained --configuration Release --output ci-publish-win64-r2r -p:PublishReadyToRun=true
+        $ConfuserExe = "$(Get-Location)\Confuser\${{ secrets.CONFUSER_EXE }}"
+        dotnet publish src/Apps/KeyAsio --framework net10.0 --runtime win-x64 --self-contained --configuration Release --output ci-publish-win64 -p:PublishReadyToRun=false -p:PublishSingleFile=true -p:ConfuserExe="$ConfuserExe"
+        dotnet publish src/Apps/KeyAsio --framework net10.0 --runtime win-x64 --self-contained --configuration Release --output ci-publish-win64-r2r -p:PublishReadyToRun=true -p:PublishSingleFile=true -p:ConfuserExe="$ConfuserExe"
         dotnet publish src/Apps/KeyAsio --framework net10.0 --runtime win-x64 --self-contained false --configuration Release --output ci-publish-win64-fd -p:PublishReadyToRun=false
         dotnet publish src/Apps/KeyAsio --framework net10.0 --runtime win-x64 --self-contained false --configuration Release --output ci-publish-win64-fd-r2r -p:PublishReadyToRun=true
    
-    - name: Confuser
+    - name: Confuser (Framework Dependent)
       shell: pwsh
       run: |
-        echo '<project outputDir="." baseDir=".\ci-publish-win64" xmlns="http://confuser.codeplex.com"><rule pattern="true" preset="maximum" inherit="false" /><module path="KeyAsio.Secrets.dll" /></project>'>confuse64.crproj
-        mkdir Confuser -Force
-        Invoke-WebRequest ${{ secrets.CONFUSER_DLURL }} -OutFile "Confuser/cli.zip"
-        7z x "Confuser/cli.zip" -oConfuser/
-        .\Confuser\${{ secrets.CONFUSER_EXE }}  -file ".\ci-publish-win64\KeyAsio.Secrets.dll" -targetfile "<AssemblyLocation>\<AssemblyFileName>" -anti_debug 1 -hide_calls 1 -control_flow 1 -flow_level 9 -virtualization 1 -naming stealth
-        del .\ci-publish-win64\KeyAsio.Secrets.pdb -Force
-
-        .\Confuser\${{ secrets.CONFUSER_EXE }}  -file ".\ci-publish-win64-r2r\KeyAsio.Secrets.dll" -targetfile "<AssemblyLocation>\<AssemblyFileName>" -anti_debug 1 -hide_calls 1 -control_flow 1 -flow_level 9 -virtualization 1 -naming stealth
-        del .\ci-publish-win64-r2r\KeyAsio.Secrets.pdb -Force
-
         .\Confuser\${{ secrets.CONFUSER_EXE }}  -file ".\ci-publish-win64-fd\KeyAsio.Secrets.dll" -targetfile "<AssemblyLocation>\<AssemblyFileName>" -anti_debug 1 -hide_calls 1 -control_flow 1 -flow_level 9 -virtualization 1 -naming stealth
         del .\ci-publish-win64-fd\KeyAsio.Secrets.pdb -Force
 
@@ -73,11 +71,7 @@ jobs:
     - name: Set dll path
       shell: pwsh
       run: | 
-        copy .\src\Apps\KeyAsio\DotNetDllPathPatcher.ps1 .\DotNetDllPathPatcher.ps1
-        .\src\Apps\KeyAsio\afterbuild.ps1 .\ci-publish-win64\KeyASIO.exe
-        .\src\Apps\KeyAsio\afterbuild.ps1 .\ci-publish-win64-r2r\KeyASIO.exe
-        .\src\Apps\KeyAsio\afterbuild.ps1 .\ci-publish-win64-fd\KeyASIO.exe
-        .\src\Apps\KeyAsio\afterbuild.ps1 .\ci-publish-win64-fd-r2r\KeyASIO.exe
+        echo "Skipping afterbuild.ps1"
 
     - name: Upload Artifacts
       if: contains(github.ref_name, 'alpha')

src/Apps/KeyAsio/KeyAsio.csproj

@@ -111,4 +111,13 @@
     <Message Text="Signing the published output assembly to $(PublishDir)..." Importance="High" />
     <Exec Command="pwsh -ExecutionPolicy Bypass -File &quot;$(MSBuildProjectDirectory)\..\..\Signer.ps1&quot; sign &quot;$(PublishDir)$(TargetFileName)&quot; &quot;$(MSBuildProjectDirectory)\keyasio_private.key&quot;" />
   </Target>
+
+  <Target Name="ObfuscateSecretsInBundle" BeforeTargets="GenerateSingleFileBundle" Condition="'$(ConfuserExe)' != '' And '$(PublishSingleFile)' == 'true'">
+    <Message Text="Obfuscating KeyAsio.Secrets.dll before bundling..." Importance="High" />
+    <PropertyGroup>
+        <SecretsDllPath>$(PublishDir)KeyAsio.Secrets.dll</SecretsDllPath>
+    </PropertyGroup>
+    <Exec Command="&quot;$(ConfuserExe)&quot; -file &quot;$(SecretsDllPath)&quot; -targetfile &quot;$(SecretsDllPath)&quot; -anti_debug 1 -hide_calls 1 -control_flow 1 -flow_level 9 -virtualization 1 -naming stealth" />
+  </Target>
+
 </Project>